On Sat, 2006-11-18 at 10:53 +0000, Ian Malone wrote:
> Then why is it on by default if permissive mode is broken and the
> advice to people who experience problems is to turn it off and forget
> about it?

SELinux's on by default, because it usually works (i.e. what does work outnumbers what doesn't work, by a large degree, for most people). Permissive isn't the default, currently, at least. Permissive is used as a debugging mode (allow things to work, as if SELinux wasn't there, but logging what happens, letting you work out what rules you want to configure).

I'm not sure when it was discovered that permissive still blocked some things, but it was brought up while trying to resolve some CUPS issue, some time back.

Only *some* of the advice is to disable it. Much of the advice is to work through the problem, and fix it. But when people throw their hands up in the air, declare it's too hard for them, and say that they're going to do something pointless with it (like run it in a manner that doesn't offer any protection), then they may as well not run it at all. It's simpler, the system has less work to do, and the results are more predictable.

I hope that makes things a bit clearer.

--
(Currently testing FC5, but still running FC4, if that's important.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.